Captive Forum considers the human element in risk, cyber security

Human error may cause 90 percent of accidents and be responsible for more than half of all cyber-attacks, but the human element is often underrated when comes to risk management.

For captive owners and managers, even direct linkages between root causes and the risks they are trying to insure against can be overlooked.

For medical malpractice, the main type of risk insured by captives in the Cayman Islands, such a connection exists between employee engagement, patient satisfaction and medical malpractice, says Todd Jones, global head of corporate risk and broking at Willis Towers Watson.

Speaking at the Cayman Captive Forum last week, Mr. Jones said, “When organizations typically talk about medical malpractice, my sense is they are not necessarily focused on employee engagement […] and they should be because there is a direct link.”

He noted there is a relationship between risks to human capital, such as skill shortages, a misaligned corporate culture or unclear expectations and risks created by employees in terms of compliance, fraud or reputation.

“We have the view that the underlying issue is around the people, not the processes or the training.”

To illustrate this argument, Mr. Jones pointed to the Wells Fargo scandal in 2016 in which the bank attracted $185 million in fines for creating 1.5 million checking and savings accounts and 500,000 credit cards that its customers never authorized.

The scandal was caused by aggressive targets for employees and an incentive-compensation program to sell more financial products.

While the bank had historically managed risk well, especially credit and market risks which can be measured and monitored more readily, it was less able to identify harmful employee business practices.

“The firm had all the right the policies and procedures, they had all the right governance,” he said. “What is going on in the heads of the colleagues at the organization was ultimately the risk that played out.”

Cyber security is another example for the intersection of people and risk, he noted, given that employees are the main cause of cyber incidents, whether through negligence or malicious insiders. Two-thirds of all cyber insurance claims are caused by employee negligence and malfeasance. “It is not a breakdown in technology, it is people doing things they should not have done,” he said.

Cyber risk is the most impactful risk because it sits at the intersection of people risk, economic risk, regulatory risk, technology risk, political risk and operational risk, which is why it is so difficult to mitigate, Mr. Jones said.

“We think that if you embrace the people aspect of the risk and include that as part of the mitigation strategy process, you will have a higher likelihood to get a better outcome.”

Cyber security expert Michael Bazzell, another keynote presenter at the Captive Forum, demonstrated on stage how stolen databases of customer data are readily available on the internet and can easily be exploited, even by less sophisticated amateur hackers, to collect passwords and log-in information and tailor a dedicated attack on companies.

The attacks of the immediate future, he warned, will be more sophisticated and perfected for each target company.

While cyber-attacks in the past had been typically carried out by professional hackers, data leaks such as those of CIA and NSA hacking tools on Wikileaks, had now enabled amateurs to carry out the attacks.

And although the data leaks had led to a huge number of ransomware attacks this year, Mr. Bazzell cautioned that money is often not the prime motivation of the hackers. “Someone will leak your data just because they can,” he said.

For individuals, Mr. Bazzell recommended changing all passwords using a password manager. Businesses that have a website with a user log-in are always a target and should do a security audit.

All businesses should regularly back-up all their data because in 2018 a ransomware attack is likely, he advised.